Skip to main content

acl utilities EUVDEUVD-2026-40086

| CVE-2026-54370 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-29 VulnCheck GHSA-r45p-762r-6pqj
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Local-only TOCTOU (AV:L) needing an unprivileged account (PR:L) and a hard-to-win race (AC:H); successful escalation compromises file ACLs/ownership giving high C/I, no direct availability impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 14:20 vuln.today

DescriptionCVE.org

acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.

AnalysisAI

Local privilege escalation in the Linux acl package (libacl/getfacl/setfacl/chacl) before version 2.4.0 lets an unprivileged local user who controls a component of a pathname win a TOCTOU race, redirecting privileged file-ACL operations to arbitrary files. By swapping a path component for a symlink between the lstat() validation and the follow-on stat()/chown()/chmod()/acl_get_file()/acl_set_file() calls, an attacker can manipulate ownership and ACLs on targets they should not control, yielding root-equivalent escalation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-priv access
Delivery
Create attacker-controlled path component
Exploit
Wait for privileged getfacl/setfacl/chacl run
Execution
Swap component to symlink mid-race
Persist
Redirect ACL/ownership to target file
Impact
Escalate to root

Vulnerability AssessmentAI

Exploitation Exploitation requires local access with low privileges (PR:L) and the ability to control at least one component of a pathname (e.g., a writable parent directory) that a privileged process subsequently passes to getfacl, setfacl, or chacl. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) scores 7.2 (High) and is internally consistent with the description: exploitation is local (AV:L), requires existing low-level access (PR:L), needs no user interaction (UI:N), and is high-complexity (AC:H) because it depends on winning a non-deterministic race window. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a shared Linux host, an unprivileged user creates a directory tree they control and waits for (or triggers) a root cron job or admin script that runs setfacl/chown over that path. They repeatedly swap an intermediate path component for a symlink to /etc or a SUID binary, and on a successful race the privileged ACL/ownership change is applied to the attacker's chosen target, granting them write access and root escalation. …
Remediation Vendor-released patch: upgrade to acl 2.4.0 or later, which contains the upstream fix (commits 3589787cd589b34bdd9265936e17190b6d3f17d1 and 24a227d0ab8576612194f8a56c2314389adc74a5 at https://cgit.git.savannah.nongnu.org/cgit/acl.git/commit/?id=3589787cd589b34bdd9265936e17190b6d3f17d1); on managed distributions apply the vendor's backported acl package update once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running acl package versions before 2.4.0 and assess exposure based on multi-user system inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy